b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                       The Internal Revenue Service Should\n                        Improve Mainframe Software Asset\n                          Management and Reduce Costs\n\n\n\n                                        February 20, 2014\n\n                              Reference Number: 2014-20-002\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n Phone Number / 202-622-6500\n E-mail Address / TIGTACommunications@tigta.treas.gov\n Website        / http://www.treasury.gov/tigta\n\x0c                                               HIGHLIGHTS\n\n\nTHE INTERNAL REVENUE SERVICE                       The IRS also does not use asset discovery,\nSHOULD IMPROVE MAINFRAME                           network scanning, license management, and\nSOFTWARE ASSET MANAGEMENT AND                      license metering tools to identify current usage,\nREDUCE COSTS                                       deployment, and inventory of mainframe\n                                                   software and related licenses. The inadequate\n                                                   software license management has resulted in an\nHighlights                                         estimated waste of $11.6 million and\n                                                   overutilization of $1.5 million in license and\n                                                   software subscription support fees.\nFinal Report issued on\nFebruary 20, 2014                                  WHAT TIGTA RECOMMENDED\n\nHighlights of Reference Number: 2014-20-002        TIGTA recommended that the Chief Technology\nto the Internal Revenue Service Chief              Officer develop policies and guidance, an\nTechnology Officer.                                enterprisewide organizational structure, and\n                                                   roles and responsibilities for managing\nIMPACT ON TAXPAYERS                                mainframe software assets and licenses;\n                                                   implement a specialized mainframe software\nComputer software is typically protected by        license management tool(s) and develop\nFederal copyright law, which requires users of     detailed standard operating procedures for using\nsoftware programs to have a license authorizing    those tools; develop an enterprisewide inventory\nsuch use. Software licenses are legal rights to    of mainframe software licensing data and\nuse software in accordance with terms and          maintain the inventory with a specialized\nconditions specified by the software copyright     mainframe software license tool; and maintain\nowner. Software license management at the          data in the inventory system that the IRS can\nIRS is not being adequately performed. Efficient   use to more effectively manage mainframe\nand cost-effective management of the IRS\xe2\x80\x99s         software spending.\nsoftware assets is crucial to ensuring that\ninformation technology services continue to        In their response to the report, IRS management\nsupport the IRS\xe2\x80\x99s business operations and help     agreed with all seven recommendations with\nit to provide services to taxpayers efficiently.   slight modifications to three of them. The IRS\n                                                   plans to enhance policies and guidance, and\nWHY TIGTA DID THE AUDIT                            implement an Enterprise Software Governance\nThe overall objective was to determine whether     Board; clarify the enterprisewide organizational\nthe IRS is adequately managing mainframe           structure including roles and responsibilities for\nsoftware licenses. This audit was included in      mainframe software asset and license\nTIGTA\xe2\x80\x99s Fiscal Year 2013 Annual Audit Plan         management; enhance standard operating\nand addresses the major management                 procedures; continue working to identify and\nchallenge of Achieving Program Efficiencies and    implement a standard enterprise toolkit that can\nCost Savings.                                      discover, track, and manage software license\n                                                   deployment and usage; continue developing a\nWHAT TIGTA FOUND                                   mainframe software inventory and identifying\n                                                   and implementing a standard enterprise toolkit;\nThe IRS is not adequately performing mainframe     and enhance the software inventory process by\nsoftware license management and is not             leveraging tools with the data collected, which\nadhering to Federal requirements and               will be consolidated and maintained in a central\nrecommended industry best practices. The IRS       data repository.\ndoes not have enterprisewide or local policies,\nprocedures, and requirements for mainframe\nsoftware license management and does not\nhave a centralized, enterprisewide\norganizational structure for managing mainframe\nsoftware licenses.\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                          February 20, 2014\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Acting Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management and Reduce Costs\n                             (Audit # 201320025).\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s (IRS)\n management of mainframe software licenses. The overall objective of this review was to\n determine whether the IRS is adequately managing mainframe software licenses. This review\n was included in the Treasury Inspector General for Tax Administration\xe2\x80\x99s Fiscal Year 2013\n Annual Audit Plan and addresses the major management challenge of Achieving Program\n Efficiencies and Cost Savings.\n Management\xe2\x80\x99s complete response is included in Appendix VI.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant\n Inspector General for Audit (Security and Information Technology Services).\n\x0c                                     The Internal Revenue Service Should Improve\n                                       Mainframe Software Asset Management\n                                                   and Reduce Costs\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 3\n          The Internal Revenue Service Does Not Effectively\n          Manage Mainframe Software ....................................................................... Page 3\n                    Recommendation 1:.......................................................... Page 7\n\n                    Recommendations 2 through 5:........................................... Page 8\n\n                    Recommendations 6 and 7: ................................................ Page 9\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 11\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 14\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 15\n          Appendix IV \xe2\x80\x93 Outcome Measures............................................................... Page 16\n          Appendix V \xe2\x80\x93 Glossary of Terms ................................................................. Page 17\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 20\n\x0c        The Internal Revenue Service Should Improve\n          Mainframe Software Asset Management\n                      and Reduce Costs\n\n\n\n\n               Abbreviations\n\nGSA      General Services Administration\nIBM      International Business Machines\nIRS      Internal Revenue Service\nIT       Information Technology\nITIL\xc2\xae    Information Technology Infrastructure Library\nTIGTA    Treasury Inspector General for Tax Administration\n\x0c                             The Internal Revenue Service Should Improve\n                               Mainframe Software Asset Management\n                                           and Reduce Costs\n\n\n\n\n                                         Background\n\nMainframe computing assets play a critical role in the daily operations of the Internal Revenue\nService (IRS) and the administration of the tax code. The IRS mainframe computing\nenvironment provides the processing for mission-critical tax processing systems, including the\nIndividual Master File, Business Master File, Customer Account Data Engine 2, and Integrated\nData Retrieval System.1 The IRS Information Technology (IT) organization has two sections of\nemployees who manage the capacity of the mainframes: the International Business Machines\n(IBM) Corporation platform section and the Unisys Corporation platform section. The IRS runs\napproximately 200 different software products in its mainframe environment. The IRS\npurchases software and support for its mainframe environment through 12 vendor contracts\xe2\x80\x94\none contract for the Unisys mainframe computers and 11 contracts for the IBM mainframe\ncomputers.\nIn a previous Treasury Inspector General for Tax Administration (TIGTA) report,2 we identified\nthat for the desktop/laptop environment and enterprisewide policies, procedures, and\nrequirements, the IRS did not adequately perform software license management and did not\nadhere to Federal requirements and recommended industry best practices. The IRS does not\nhave enterprisewide or local policies, procedures, and requirements for software license\nmanagement. TIGTA reported that the IRS does not have specialized software license tools\ndesigned to be the repository for software and software license deployment. These tools should\nbe used to discover, track, manage, and detect inactive usage of software licenses. Finally, the\nIRS does not have an accurate inventory of software and related licenses that contains licensing\nmodels applicable to each software product which links data on the licenses purchased and\ndeployed with the purchase costs, procurement information, and monitoring and usage data. The\nprior audit focused on the desktop/laptop environment and enterprisewide policies, procedures,\nand requirements for software license management. This audit focused on the software and\nlicense management of the IRS\xe2\x80\x99s mainframe environment.\n\nMainframe software license/asset management\nSoftware asset management is a process for tracking and reporting the use and ownership of\nsoftware assets. Forrester Research Inc. defines software asset management as:\n        The systematic automation of processes to reconcile software licenses and statements of\n        entitlement, maintenance contracts, and original media with installed software and those\n        processes for discovering deployed software assets; to reconcile the assets to their\n1\n See Appendix V for a glossary of terms.\n2\n TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately\nPerformed (Jun. 2013).\n                                                                                                  Page 1\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\n       licenses, maintenance contracts, and definitions of entitlement; and to report on\n       compliance and discrepancies in such a way as to minimize the risk of legal action by\n       software vendors as well as loss of service to users or of reputation in the wider world.\nA critical part of software asset management is mainframe software license management. The\nobjective of mainframe software license management is to manage, control, and protect an\norganization\xe2\x80\x99s software assets, including management of the risks that arise from the use of those\nsoftware assets. Proper management of mainframe software licenses helps to minimize risks by\nensuring that licenses are used in compliance with licensing agreements and deployed\ncost effectively, and that software purchasing and maintenance expenses are properly controlled.\nSoftware license management can be difficult because:\n   \xef\x82\xb7   A large amount of information on software and hardware must be discovered and stored.\n   \xef\x82\xb7   These data need to be kept current on more than an annual basis.\n   \xef\x82\xb7   Identifying installed software and software license use may be affected by the\n       complexities in which software is installed and licenses are used.\n   \xef\x82\xb7   Licensing models and definitions may significantly differ depending on the software\n       product and vendor.\nFederal requirements established by Executive Orders, the Federal Chief Information Officer\nCouncil, the National Institute of Standards and Technology, and the Department of the\nTreasury, as well as recommended industry best practices, govern the use and management of\nsoftware licenses. These sources provide guidance to ensure that software licenses are\n1) efficiently purchased and are not being unused or underused, 2) used in compliance with\ncopyright laws, and 3) inventoried through the use of adequate recordkeeping systems which\ncontrol and track the use of licenses.\nThis review was performed at the Enterprise Computing Center in Martinsburg, West Virginia,\nand by contacting IT organization and Agency-Wide Shared Services personnel located at\nNew Carrollton, Maryland; Oxon Hill, Maryland; and Austin, Texas, during the period\nNovember 2012 to August 2013. We conducted this performance audit in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit objective.\nDetailed information on our audit objective, scope, and methodology is presented in Appendix I.\nMajor contributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                            Page 2\n\x0c                              The Internal Revenue Service Should Improve\n                                Mainframe Software Asset Management\n                                            and Reduce Costs\n\n\n\n\n                                    Results of Review\n\nThe Internal Revenue Service Does Not Effectively Manage\nMainframe Software\nExecutive Order 13103, Computer Software Piracy, requires and Information Technology\nInfrastructure Library (ITIL\xc2\xae) best practices recommend the development of software license\nmanagement policies and procedures and roles and responsibilities. The ITIL and industry best\npractices recommend a centralized, enterprisewide management structure for software asset\nmanagement. These best practices indicate that some of the most significant benefits of software\nasset management, both cost and risk-management benefits, come from managing software on an\nenterprisewide basis. An enterprisewide management structure can actively manage software\nassets to know the location, configuration, and usage history of every product. In addition, an\nenterprisewide management structure supported by an enterprisewide inventory and automated\nsoftware license management tools can better provide procurement staff with the detailed and\naccurate information needed to negotiate flexible, cost-effective contracts and form the basis for\ncost reduction projects such as platform stabilization, volume bundling, securing longer term\nagreements, and vendor or hardware consolidation. In September 2010, the IRS\xe2\x80\x99s Chief\nTechnology Officer outlined a goal to have the IT organization implement the ITIL best practices\nover the next several years. The IRS reported that the IT organization had achieved ITIL\nMaturity Level 3 in October 2012.\nExecutive Orders,3 Department of the Treasury Directive 85-02, Software Piracy Policy,4 and\nInternal Revenue Manual 10.8.25 require and ITIL and industry best practices recommend\ncreating and maintaining accurate enterprisewide inventories of installed software and licenses.\nThese inventories should contain licensing models applicable to each software product and link\nthe data on licenses bought and deployed, including costs. This will help ensure that software\npurchased is not unused or underutilized and that software is used in compliance with copyright\nlaws.\nThe National Institute of Standards and Technology Special Publication 800-53, Recommended\nSecurity Controls for Federal Information Systems and Organizations,6 and Treasury Directive\nPublication 85-01, Treasury IT Security Program,7 require and ITIL and industry best practices\n\n3\n  Exec. Order 13103, Computer Software Piracy (1998) and Exec. Order 13589, Promoting Efficient Spending\n(2011).\n4\n  Dated May 4, 2010.\n5\n  Internal Revenue Manual 10.8.2 (Sept. 9, 2012).\n6\n  Dated Aug. 2009.\n7\n  Dated Nov. 3, 2006.\n                                                                                                      Page 3\n\x0c                            The Internal Revenue Service Should Improve\n                              Mainframe Software Asset Management\n                                          and Reduce Costs\n\n\nrecommend implementing enterprisewide software asset discovery, network scanning, license\nmanagement, and license metering tools. Software asset discovery tools are used to identify\ninstalled software and collect relevant details about each installed software product. Network\nscanning tools are used to detect and remove any unauthorized or unlicensed installed software.\nSoftware license management tools help to ensure compliance with licensing agreements by\ntracking license usage, linking upgrades to original licenses, linking licenses bought to licenses\nused, and managing the stock of unused licenses. Metering tools help to ensure that licenses are\nused cost effectively by detecting installed software that is not being used, is being underutilized,\nor is being overutilized so that the licenses can be managed effectively.\n\nThe IRS does not have defined policies and procedures or roles and\nresponsibilities for mainframe software and license management\nSeveral IRS organizations have mission statements that suggest those organizations have some\nresponsibility for managing the mainframe software assets and licenses. The IT organization\nincludes the following divisions with such mission statements:\n   \xef\x82\xb7   Mainframe Services and Support Division. The mission of this division is to design,\n       develop, deploy, and maintain the IBM and Unisys mainframe systems.\n   \xef\x82\xb7   Security Operations and Standards Division. Part of the mission of this division is to\n       oversee infrastructure inventory, asset management, and procurement.\n   \xef\x82\xb7   Vendor and Contract Management Division. The mission of this division is to maximize\n       the value of information technology investments by implementing effective sourcing\n       strategies, monitoring vendor performance and contract management, and facilitating\n       strong acquisition governance processes.\nWe interviewed management and personnel from the previously mentioned divisions and found\nthat none of the divisions are specifically responsible for maintaining an inventory of mainframe\nsoftware assets and licenses in accordance with Federal requirements and industry best practices.\nIn addition, none were monitoring software usage to ensure compliance with software license\nagreements. Management of the Mainframe Services and Support Division informed us that,\nwhile they do install software products on the mainframe systems, they do not have any\nresponsibilities for maintaining or monitoring a mainframe software inventory that is part of an\noverall IRS enterprisewide software inventory in accordance with Federal requirements and\nindustry best practices. They do not monitor software usage to detect noncompliance with\nsoftware license agreements such as underutilization or overutilization of software licenses.\nThe Acquisition and Contracts Management section of the Security Operations and Standards\nDivision processes software requisitions for most mainframe and server software products. To\nprocess software requisitions, the IT organization works with the customer in preparing,\napproving, and submitting requisitions to the Office of Procurement. While the Acquisition and\nContracts Management section reviews all mainframe and server requisitions, including ones it\n\n                                                                                              Page 4\n\x0c                                 The Internal Revenue Service Should Improve\n                                   Mainframe Software Asset Management\n                                               and Reduce Costs\n\n\ndoes not process, the section does not perform any analysis or report on software contracts or\nlicensing. The section does not perform any comparative analysis of software requisitions to\nsoftware inventory to determine if software purchases could be made more cost effectively.\nVendor and Contract Management Division personnel informed us that, in response to a prior\nTIGTA audit report recommendation,8 they are in the process of developing roles,\nresponsibilities, and standards for an enterprisewide software asset management program.\nHowever, they also informed us that the IRS has not invested in the resources to develop and\nimplement an effective software asset management program. For example, the IRS does not\nhave sufficient tools or the staffing necessary to identify software actually installed on its\nsystems and to help audit compliance with software license agreements so that underdeployment,\noverdeployment, or discontinued use of software licenses can be identified and software\ncontracts and inventory adjusted accordingly. Vendor and Contract Management Division\npersonnel have developed a manual software and license contract management process for the\nIRS\xe2\x80\x99s Microsoft contract and are currently developing a similar process for the IBM software\ncontract. However, these processes are not an enterprisewide software asset and license\ncompliance management program in accordance with Federal requirements and industry best\npractices.\n\nThe IRS does not maintain an inventory of mainframe software in accordance\nwith Federal requirements and industry best practices\nThe IRS does not have an inventory of mainframe software that it manages in accordance with\nFederal requirements and industry best practices. According to Federal requirements and\nindustry best practices, an effective inventory contains licensing models applicable to each\nsoftware product and links data on the licenses purchased and deployed with the purchase costs,\nprocurement information, and monitoring and usage data.\nMainframe Services and Support Division personnel were unable to provide an accurate\ninventory with license information. The license information for each software product is\nmaintained separately in the Office of Procurement contract files. In addition, software usage\nwas not monitored to identify software products installed but not used or to verify compliance\nwith software license agreements. We selected a judgmental sample9 of 30 mainframe software\nproducts to determine if the software products were managed properly. License and usage\ninformation for the 30 software products was not readily available in a software asset\nmanagement inventory. IRS personnel in the Acquisition and Contracts Management section of\nthe IT organization first performed research to identify a contract to associate with each of the\n30 software products. We then obtained information about the software products by manually\nresearching contract files and interviewing technical points of contact and contract\n\n8\n  TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately\nPerformed (Jun. 2013).\n9\n  A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                              Page 5\n\x0c                             The Internal Revenue Service Should Improve\n                               Mainframe Software Asset Management\n                                           and Reduce Costs\n\n\nrepresentatives for each software requisition. Through interviews, we determined that the\nsoftware products are used; however, due to the lack of readily available usage information, we\ncould not verify the usage or determine if the IRS is in compliance with license agreements\napplicable to the 30 software products reviewed.\nThe IRS does not use asset discovery, network scanning, license management, and license\nmetering tools to identify current usage, deployment, and inventory of mainframe software and\nrelated licenses. Without these tools and a software asset and license management structure in\nplace, the IRS cannot effectively determine if the software contracts it enters into are reflective\nof its current or future projected mainframe software license and support needs. In addition, the\nIRS cannot, from an enterprisewide level, effectively manage its mainframe software and\nlicense compliance to the contract option-year renewals. In September 2007, the IRS entered\ninto a five-year contract for the use and support of IBM software totaling $239 million. In\nSeptember 2012, an external contractor hired by the prime contractor, i.e., IBM, completed a\ncompliance review of the IRS\xe2\x80\x99s contract for IBM software and related licensing. Using asset\ndiscovery, network scanning, license management, and license metering tools, this contractor\nfound several issues that included overutilization and nondeployment of software products which\nthe IRS had purchased under the contract. In turn, the IRS hired its own contractor costing\n$50,000 to evaluate the compliance review results and to assist the IRS in negotiating a new\ncontract agreement. The original compliance review determined that the IRS did not deploy,\ni.e., purchased but did not use, mainframe licenses and software support, resulting in the IRS\nwasting an estimated $11.6 million. Figure 1 provides a summary of the nondeployed software\nlicenses and estimated General Services Administration (GSA) list price costs.\n                               Figure 1: Nondeployed Software\n                                                                  Total GSA List\n                                                 Subscription\n                  Licenses Total GSA List                              Price           Total GSA List\n     Software                                    and Support\n                    Owned           Price                          Subscription          Price Value\n                                                    Paid\n                                                                   and Support\n    Product 1            516          $848,820              516          $130,032              $978,852\n    Product 2            516       $2,167,200               516          $361,200            $2,528,400\n    Product 3            516       $1,590,312               516          $136,224            $1,726,536\n    Product 4            156          $171,132              156           $34,476              $205,608\n    Product 5            156          $571,896              156          $115,440              $687,336\n    Product 6            362          $722,190              362          $109,324              $831,514\n    Product 7            362       $1,444,380               362          $219,010            $1,663,390\n    Product 8             50           $47,400               50             $7,200              $54,600\n    Product 9            362          $595,852              362           $90,500              $686,352\n    Product 10           362          $722,190              362          $109,324              $831,514\n    Product 11           362       $1,263,742               362          $191,498            $1,455,240\n           Total       3,720      $10,145,114             3,720        $1,504,228          $11,649,342\n   Source: TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with\n   IRS IT organization management and personnel.\n\n                                                                                                     Page 6\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\nThe compliance review also found that the IRS overutilized contracted licenses and software\nsupport on six products with an estimated GSA list price value of $1.5 million. As a result, we\nestimate that the IRS owed an additional $1.5 million in licenses and software support fees at the\ntime of the compliance review.\nThe IRS does not have enterprisewide or local mainframe software asset and license\nmanagement policies and procedures, an asset and license management structure, or defined\nroles and responsibilities in accordance with Federal requirements and industry best practices.\nThe IRS does not have an enterprisewide inventory of mainframe software assets and software\nlicensing data in accordance with Federal requirements and industry best practices. Additionally,\nthe IRS has not identified and implemented automated software license tools for the\nenterprisewide management of mainframe software assets and licenses. This is due, in part, to\nInternal Revenue Manual 2.14.1, Asset Management, Information Technology (IT) Asset\nManagement (November 8, 2011), which states in Section 13.17 that software management is\nunder development and that procedures are being defined.\nThe lack of an enterprisewide inventory with comprehensive data on all mainframe software\nassets and software licensing impedes the IRS\xe2\x80\x99s ability to more effectively analyze the\nrelationships among its software license agreements and vendors to more cost effectively buy\nsoftware licenses and maintenance. Until the IRS addresses the issues presented in this report, it\nis incurring increased risks in managing software licenses. In fact, these deficiencies have\nalready resulted in an estimated waste of $11.6 million and overutilization of $1.5 million in\nlicenses and software support fees on one mainframe software contract.\nThe conditions identified in the compliance review of the IBM mainframe software could exist in\nother mainframe software contracts. The IRS has 11 mainframe software contracts in addition to\nthe IBM contract. If the IRS had the software asset and license management policies,\nprocedures, and tools in place, the other mainframe software contracts could be analyzed for\nadditional cost savings and license compliance.\n\nRecommendations\nTo improve the management of mainframe software licenses based on Federal requirements and\nrecommended industry best practices, the Chief Technology Officer should:\nRecommendation 1:\xc2\xa0\xc2\xa0Develop policies and guidance in the Internal Revenue Manual to\nmanage mainframe software assets and licenses using ITIL best practices.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS will\n       utilize best practices, such as the ITIL, to enhance current policies and guidance for\n       managing software licensing from an enterprise perspective in support of and aligned to\n       Internal Revenue Manual 2.14.1, Asset Management. The IRS will ensure that policies\n       and guidance are aligned to and include the protocols, functions, and decision making\n\n                                                                                            Page 7\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\n       outcomes across Associate Chief Information Officer and other enterprise units by\n       implementing an Enterprise Software Governance Board.\nRecommendation 2:\xc2\xa0\xc2\xa0Develop an enterprisewide organizational structure to manage\nmainframe software assets and licenses.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS will\n       clarify the enterprisewide organizational structure, including roles and responsibilities, in\n       the Internal Revenue Manual for mainframe software asset and license management.\nRecommendation 3:\xc2\xa0\xc2\xa0Develop roles and responsibilities in the Internal Revenue Manual for\nall organizational entities responsible for mainframe software asset and license management.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. However, the\n       IRS believes the efforts that will be carried out for Recommendation 2 of this audit will\n       also achieve the necessary actions for Recommendation 3.\nTo help ensure that the IRS has enterprisewide processes for using mainframe software license\ntools that adhere to Federal requirements and recommended industry best practices, the\nChief Technology Officer should:\nRecommendation 4:\xc2\xa0\xc2\xa0Develop detailed standard operating procedures for using mainframe\nsoftware licensing tools to manage software licenses.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. As part of its\n       enterprise approach, the IRS will enhance standard operating procedures for using\n       existing and/or other toolsets, as appropriate, to manage software licensing for the\n       enterprise.\nRecommendation 5:\xc2\xa0\xc2\xa0Implement a specialized mainframe software license tool(s) designed to\ndiscover, track, and manage mainframe software license deployment and usage. The\nimplementation of the tool should include the development of an enterprisewide, centralized,\nsystematic, and repeatable method to manage and track the deployment of mainframe licenses\nthat can be uniformly used by all organizational entities responsible for managing licenses.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation with a slight\n       modification. Based on experience, there is no single tool that can discover, track, and\n       manage software license deployment and usage. For a prior TIGTA recommendation\n       (Ref. No. 2013-20-025, Recommendation 4), the IRS is already working to identify and\n       implement a standard enterprise toolkit, which may include multiple tools. The IRS\n       believes these efforts will accomplish this recommendation.\n       Office of Audit Comment: During this audit, IRS officials requested that TIGTA\n       report its findings and recommendations specific to the mainframe environment so not to\n       repeat a prior TIGTA audit report\xe2\x80\x99s recommendations. The prior TIGTA report that the\n\n\n                                                                                             Page 8\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\n       IRS referred to is related to the desktop and laptop environment and does not specifically\n       address the mainframe environment.\nTo help ensure that the IRS has enterprisewide processes for mainframe software license\ninventories that adhere to Federal requirements and recommended best practices, the\nChief Technology Officer should:\nRecommendation 6:\xc2\xa0\xc2\xa0Develop an enterprisewide inventory of mainframe software licensing\ndata and maintain the inventory with a specialized software license tool designed to discover,\ntrack, and manage mainframe software license deployment and usage.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation with a slight\n       modification. Based on experience, there is no single tool that can discover, track, and\n       manage software license deployment and usage. For a prior TIGTA recommendation\n       (Ref. No. 2013-20-025, Recommendation 5), the IRS is already developing a mainframe\n       software inventory and will leverage this as a starting point. The IRS is also already\n       identifying and implementing a standard enterprise toolkit, which may include multiple\n       tools. The IRS believes these efforts will accomplish this recommendation.\n       Office of Audit Comment: During this audit, IRS officials requested that we report\n       our findings and recommendations specific to the mainframe environment so not to\n       repeat a prior TIGTA audit report\xe2\x80\x99s recommendations. The prior TIGTA report that the\n       IRS referred to is related to the desktop and laptop environment and does not specifically\n       address the mainframe environment.\nRecommendation 7:\xc2\xa0\xc2\xa0Maintain data in the inventory system that the IRS can use to more\neffectively review mainframe software licensing agreements, purchases, deployment, usage, and\nother related aspects of mainframe licensing to identify additional savings in software spending.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation with a slight\n       modification. While the IRS is currently maintaining a software inventory, it will\n       enhance this process by leveraging tools. Based on experience, there is no single tool\n       that can discover, track, and manage software license deployment and usage. As such,\n       the IRS will identify and implement a standard enterprise toolkit, which may include\n       multiple tools, towards implementing this recommendation. Data collected via the toolkit\n       will be consolidated and maintained in a central repository.\nWhile the IRS agreed with all seven recommendations in the audit report to address the reported\nissues, in its response, the IRS disagreed with three of the audit\xe2\x80\x99s key findings and outcome\nmeasures. Specifically:\n   \xef\x82\xb7   The IRS stated its position that the IRS did not waste $11.6 million and demonstrated it\n       was compliant with IBM software terms for the 11 products.\n\n\n\n                                                                                           Page 9\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\n   \xef\x82\xb7   The IRS stated that at the time of the Deloitte compliance review, the IRS discovered a\n       miscalculation of IBM mainframe sub-capacity that was valued at $642,000 not\n       $1.5 million, and it was immediately corrected.\n    \xef\x82\xb7 The IRS stated it installed IBM Tivoli Asset Discovery for System z in June 2011. The\n      IRS also stated that it provided information to the audit team about this installation and\n      its use of the tool to maintain a software asset discovery and inventory system for the\n      mainframe environment.\nIRS management and the audit team discussed the 11 products detailed in the report. During this\ndiscussion, IRS management agreed that these 11 products were paid for and were never\ndeployed. The IRS was also unable to provide detailed procurement or operational\ndocumentation to determine the length and cost of the products\xe2\x80\x99 non-deployment. Additionally,\nthere was only 1 product of the 11 that the IRS stated was recently purchased and in the process\nof deployment during the 2012 compliance review. IRS management was not able to provide\nany documents or evidence supporting this statement.\nIRS management and the audit team also discussed, in detail, the overutilization of software that\nit says was valued at $642,000 not $1.5 million. We disagree with the IRS\xe2\x80\x99s estimate. The IRS\ndid not have sufficient documentation to support its determination, or supporting documentation\nfor how long this had been occurring. In our estimate of $1.5 million, we used the GSA IBM\ncontract schedule pricing to estimate the value of the overutilization of this software.\nFinally, we analyzed the IRS\xe2\x80\x99s use of the IBM Tivoli Asset Discovery tool for System z and we\ndiscussed its use with IRS management. The IRS only uses the information obtained by this tool\nwhen renegotiating mainframe software contracts. It is not routinely used as a mainframe\nsoftware asset discovery, network scanning, license management, and license metering tool to\nidentify current usage, deployment, and inventory of mainframe software and related licenses in\naccordance with Federal requirement and industry best practices. In its response to\nRecommendation 6, the IRS stated that it is already identifying and implementing a standard\nenterprise toolkit, which may include multiple tools. The IRS believes these efforts will\naccomplish this recommendation.\n\n\n\n\n                                                                                          Page 10\n\x0c                          The Internal Revenue Service Should Improve\n                            Mainframe Software Asset Management\n                                        and Reduce Costs\n\n\n                                                                                 Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS is adequately managing\nmainframe software licenses. To accomplish our objective, we:\nI.     Performed electronic research to identify and review Government criteria and\n       requirements and non-Government best practices for software license management.\n       A. Identified Government criteria and requirements.\n       B. Identified non-Government best practices from recognized organizations.\n       C. Identified Government criteria and requirements and previous IRS software license\n          management findings from TIGTA audit reports.\n       D. Reviewed, analyzed, and summarized the criteria and requirements found that were\n          relevant to the IRS\xe2\x80\x99s management of software licenses.\nII.    Determined if the IRS developed adequate policies and procedures, and roles and\n       responsibilities for the management of software licenses.\n       A. Determined if the IRS had an enterprisewide policy for mainframe software license\n          management that was consistent with the criteria, requirements, and best practices.\n       B. Determined if the IRS had roles and responsibilities for mainframe software license\n          management that were consistent with the criteria, requirements, and best practices.\n       C. Determined if the IRS had business unit policies, procedures, and roles and\n          responsibilities for mainframe software license management that were consistent with\n          the criteria, requirements, and best practices.\nIII.   Determined if the IRS had a centralized mainframe licensing inventory and manages and\n       maintains the inventory with software tools designed for license management.\n       A. Determined if the IRS had a centralized inventory of its mainframe software assets,\n          including licensing data.\n       B. Determined if the IRS had adequately used mainframe software asset discovery tools\n          and usage monitoring tools.\nIV.    Determined if the IRS adequately managed mainframe software licenses on a sample of\n       software products.\n       A. Determined the inventory data the IRS has on its software products.\n\n                                                                                         Page 11\n\x0c                                   The Internal Revenue Service Should Improve\n                                     Mainframe Software Asset Management\n                                                 and Reduce Costs\n\n\n           B. Developed a sampling methodology and selected a judgmental sample1 of\n              30 mainframe software products for review. A judgmental sampling methodology\n              was used because the IRS did not have an enterprisewide valid population of\n              mainframe software from which to sample.\n                1. To select a judgmental sample of software for review, we began with a universe\n                   of 211 IBM mainframe environment software products. We then generated a list\n                   of random integers to judgmentally select 25 products from this universe. We\n                   selected 25 products for review based on the staff resources available to review\n                   the sample. Also, when the selected software product was not suitable for review\n                   due to a lack of information about the product, we selected the next software\n                   product listed.\n                2. We reviewed five Unisys software products that IRS management indicated may\n                   be candidates for cost savings.\n           C. Reviewed the sample of 30 mainframe software products to determine the scope of\n              the IRS\xe2\x80\x99s mainframe software and licensing management and tracking activities.\n           D. On each of the selected software products, obtained additional documentation and\n              interviewed IRS employees as necessary to substantiate the accuracy of the software\n              licensing data being managed and tracked.\n           E. On each of the selected software products, determined if the IRS is managing and\n              tracking licenses.\n           F. On each of the sampled mainframe software products, determined how exceptions or\n              noncompliance with software licenses were resolved.\n           G. Determined if the software licensing data that are managed and tracked on each of the\n              selected software products are shared with the Office of Procurement staff to help\n              better negotiate software license purchases and maintenance agreements with\n              vendors.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: the IT organization\xe2\x80\x99s policies, procedures,\nand processes for managing and tracking mainframe software licenses. We evaluated these\ncontrols by interviewing IT organization management, identifying Federal requirements and\n\n\n1\n    A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.\n                                                                                                               Page 12\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\nindustry best practices for managing and tracking software licenses, and reviewing software\nlicense management and tracking on a sample of mainframe software products.\n\n\n\n\n                                                                                        Page 13\n\x0c                          The Internal Revenue Service Should Improve\n                            Mainframe Software Asset Management\n                                        and Reduce Costs\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Director\nJohn Ledford, Audit Manager\nRyan Perry, Lead Auditor\nJoan Bonomi, Senior Auditor\nLarry Reimer, Senior Auditor\n\n\n\n\n                                                                                     Page 14\n\x0c                        The Internal Revenue Service Should Improve\n                          Mainframe Software Asset Management\n                                      and Reduce Costs\n\n\n                                                                            Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer for Operations OS:CTO\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nAssociate Chief Information Officer, User and Network Services OS:CTO:UNS\nDirector, Operations Service Support OS:CTO:UNS:OS\nDirector, Vendor Contract Management OS:CTO:SP:VCM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluations and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management OS:CTO:SP:RM\n\n\n\n\n                                                                                  Page 15\n\x0c                           The Internal Revenue Service Should Improve\n                             Mainframe Software Asset Management\n                                         and Reduce Costs\n\n\n                                                                                 Appendix IV\n\n                               Outcome Measures\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective actions will have on tax administration. These benefits will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Inefficient Use of Resources \xe2\x80\x93 Potential; $11,649,342 (see page 3).\n\nMethodology Used to Measure the Reported Benefit:\nOn behalf of IBM, a third-party contractor conducted a compliance review of the IRS\xe2\x80\x99s software\nlicense agreements associated with its IBM software contract. The compliance review identified\nthat the IRS had purchased but had not deployed software licenses and related software and\nsubscription support. Specifically, the IRS paid for 11 IBM mainframe software products but did\nnot have them deployed.\nThe IBM contract in effect when the compliance review was performed did not include itemized\npricing information that TIGTA could use to determine the exact cost of the nondeployed\nsoftware licenses and related subscription support. Using the 2012 IBM GSA Price List, the\nonly itemized pricing information available, we estimated that the IRS had purchased and did not\ndeploy $11,649,342 in licenses and software subscription support.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Funds Put to Better Use \xe2\x80\x93 Potential; $50,000 (see page 3).\n\nMethodology Used to Measure the Reported Benefit:\nDue to the lack of a mainframe software asset management program, including software asset\nand license management tools that would give the IRS insight into its IBM mainframe software\nlicense compliance, the IRS hired a contractor at a cost of $50,000 to evaluate and verify the\nresults of the compliance audit performed by a contractor hired by IBM.\n\n\n\n\n                                                                                          Page 16\n\x0c                            The Internal Revenue Service Should Improve\n                              Mainframe Software Asset Management\n                                          and Reduce Costs\n\n\n                                                                                        Appendix V\n\n                                 Glossary of Terms\n\n           Term                                               Definition\nBest Practices                 Proven activities or processes that have been successfully used by\n                               multiple organizations.\nBusiness Master File           The IRS database that consists of Federal tax transactions and accounts\n                               for businesses. These include employment taxes, income taxes on\n                               businesses, and excise taxes.\nCustomer Account Data          An IRS application that will replace the existing Individual Master File\nEngine 2                       and Customer Account Data Engine applications. The Customer\n                               Account Data Engine 2 is designed to provide state-of-the-art individual\n                               taxpayer account processing and technologies to improve service to\n                               taxpayers and enhance IRS tax administration.\nExecutive Orders               Legally binding orders given by the President, acting as the head of the\n                               Executive Branch, to Federal Administrative Agencies. Executive\n                               Orders are generally used to direct Federal agencies and officials in their\n                               execution of congressionally established laws or policies.\nExecutive Order 13103,         Requires Federal agencies to develop software license management\nComputer Software Piracy       policies and procedures. It also requires Federal agencies to prepare\n                               inventories of software present on computers to help ensure that\n                               software is used in compliance with copyright laws.\nExecutive Order 13589,         Requires Federal agencies to take inventory of their information\nPromoting Efficient Spending   technology assets and ensure that they are not paying for unused or\n                               underutilized installed software.\nFederal Chief Information      As the principal interagency forum on Federal information technology,\nOfficer Council                the purpose of the Federal Chief Information Officer Council is to foster\n                               collaboration among Federal Government Chief Information Officers in\n                               strengthening Governmentwide information technology management\n                               practices.\nForrester Research Inc.        A global research and advisory firm that provides research guidance to\n                               the information technology industry.\nIndividual Master File         The IRS database that maintains transactions or records of individual tax\n                               accounts.\n\n\n\n                                                                                                 Page 17\n\x0c                            The Internal Revenue Service Should Improve\n                              Mainframe Software Asset Management\n                                          and Reduce Costs\n\n\n\n           Term                                              Definition\nInformation Technology        Provides guidelines for the use and management of software and\nInfrastructure Library        licenses.\n                                       \xc2\xae\n                              The ITIL is a widely accepted set of concepts and practices for\n                              information technology service management derived from user and\n                              vendor experts in both the private and public sectors. The ITIL focuses\n                              on the key service management principles pertaining to service strategy,\n                              service design, service transition, service operation, and continual\n                              service improvement with each principle being covered in a separate\n                              ITIL core publication. Software asset management is a key process\n                              described within the service transition core publication. The ITIL also\n                              has a separate publication entitled Best Practice Software Asset\n                              Management that covers software asset and license management best\n                              practices in more depth than the core publication. ITIL best practices\n                              recommend 1) the development of software license management\n                              policies and procedures, and roles and responsibilities, 2) a centralized,\n                              enterprisewide management structure for software asset management,\n                              3) the use of software license management tools, and 4) the creation and\n                              maintenance of accurate enterprisewide inventories of software licenses.\nInformation Technology        Maturity levels refer to an IT organization\xe2\x80\x99s ability to perform. An\nInfrastructure Library        organization passes through five evolutionary levels as it becomes more\nMaturity Levels               competent.\n                              Level 1: Initial \xe2\x80\x93 Focuses on technology and technology\n                              excellence/experts.\n                              Level 2: Repeatable \xe2\x80\x93 Focuses on products/services and operational\n                              processes, e.g., service support.\n                              Level 3: Defined \xe2\x80\x93 Focuses on the customer and proper service-level\n                              management.\n                              Level 4: Managed \xe2\x80\x93 Focuses on business/information technology\n                              alignment.\n                              Level 5: Optimized \xe2\x80\x93 Focuses on value and the seamless integration of\n                              information technology into the business and strategy making.\nIntegrated Data Retrieval     IRS computer system capable of retrieving or updating stored\nSystem                        information. It works in conjunction with a taxpayer\xe2\x80\x99s account records.\nNational Institute of         A part of the Department of Commerce that is responsible for\nStandards and Technology      developing standards and guidelines for providing adequate information\n                              security for all Federal Government agency operations and assets.\n\n\n                                                                                                Page 18\n\x0c                              The Internal Revenue Service Should Improve\n                                Mainframe Software Asset Management\n                                            and Reduce Costs\n\n\n\n           Term                                               Definition\nNational Institute of           Requires that Federal agencies employ tracking systems, such as\nStandards and Technology        specialized fully automated applications depending on the needs of the\nSpecial Publication             organization, for software protected by quantity licenses to control\n800-53, Recommended             copying and distribution and to help ensure that software is used in\nSecurity Controls for Federal   accordance with licensing agreements.\nInformation Systems and\nOrganizations\nSoftware License Agreement      The legal contract between the owner and purchaser of a piece of\n                                software that establishes the purchaser\xe2\x80\x99s rights. A software license\n                                agreement provides details and limitations on where, how, how often,\n                                and when the software can be installed and used, and provides\n                                restrictions that are imposed on the software. The agreement includes\n                                the licensing model that will be used for defining and measuring the use\n                                of the software. For example, a common simple license model could be\n                                based on how many people can use the software and how many systems\n                                the software may be installed on. Software companies also make special\n                                license agreements for large business and Government entities that may\n                                be different from those provided to the general consumer.\nTreasury Directive              Requires that bureaus periodically scan their networks to detect and\nPublication 85-01, Treasury     remove any unauthorized or unlicensed software.\nIT Security Program\nTreasury Directive 85-02,       Issued to implement Executive Order 13103 and requires that bureaus\nSoftware Piracy Policy          establish and maintain an accurate software inventory to help ensure that\n                                software is used in accordance with software license agreements.\n\n\n\n\n                                                                                                 Page 19\n\x0c         The Internal Revenue Service Should Improve\n           Mainframe Software Asset Management\n                       and Reduce Costs\n\n\n                                                 Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                       Page 20\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 21\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 22\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 23\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 24\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 25\n\x0cThe Internal Revenue Service Should Improve\n  Mainframe Software Asset Management\n              and Reduce Costs\n\n\n\n\n                                              Page 26\n\x0c'